panda-re / panda

Platform for Architecture-Neutral Dynamic Analysis
https://panda.re

PyPANDA: Fix syscall args list size #1425

Closed be32826 closed 9 months ago

be32826 commented 9 months ago

Before this change, accessing non-first syscall args in PyPANDA (such as in the below hook) gives incorrect bytes.

    # PyPANDA hook that fires on every syscall return; `rp` is the syscall
    # context whose `args` array is declared by create_panda_datatypes.py
    @panda.ppp("syscalls2", "on_all_sys_return2")
    def all_sysret(cpu, pc, call, rp):
        # args[0] decodes fine, but args[1] and later come back as wrong bytes
        print(list(rp.args[1]))

lacraig2 commented 9 months ago

This needs a fix, but this isn't quite the right one.

The code you're changing in create_panda_datatypes.py (here) is reflecting code in syscalls.

The problem as I see it is that create_panda_datatypes.py defines the structure as:

    uint8_t args[{GLOBAL_MAX_SYSCALL_ARG_SIZE}]
                [{GLOBAL_MAX_SYSCALL_ARG_SIZE}]; /**< arguments */

when in fact the structure should be:

    uint8_t args[GLOBAL_MAX_SYSCALL_ARGS]
                [GLOBAL_MAX_SYSCALL_ARG_SIZE]; /**< arguments */

The definition of GLOBAL_MAX_SYSCALL_ARG_SIZE of 8 makes sense given that it's defined in C as sizeof(uint64_t). Realistically, this second dimension should change to GLOBAL_MAX_SYSCALL_ARG_SIZE to correctly reflect the C code.
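The comment above boils down to one rule: the Python-side declaration of `args` must mirror the C struct's dimensions exactly, or indexing into it silently returns bytes from the wrong place. The example below is added here and is not PANDA's code; it uses `ctypes` instead of PyPANDA's cffi bindings because it needs no compiler, takes `GLOBAL_MAX_SYSCALL_ARG_SIZE` as 8 (stated in the PR) and assumes a value of 17 for `GLOBAL_MAX_SYSCALL_ARGS` purely for illustration. It goes a step beyond the PR by transposing the two dimensions, which makes the wrong row stride visible, and shows the round-trip check that catches such a mismatch where `sizeof` alone does not.

```python
import ctypes

# Assumed values (labelled assumptions, not taken from PANDA's headers):
# GLOBAL_MAX_SYSCALL_ARG_SIZE == sizeof(uint64_t) == 8 is stated in the PR;
# GLOBAL_MAX_SYSCALL_ARGS = 17 is an illustrative guess.
ARG_SIZE = 8
MAX_ARGS = 17


class CorrectCtx(ctypes.Structure):
    """Mirrors the C declaration: uint8_t args[MAX_ARGS][ARG_SIZE]."""
    _fields_ = [("args", (ctypes.c_uint8 * ARG_SIZE) * MAX_ARGS)]


class SwappedCtx(ctypes.Structure):
    """Dimensions transposed: uint8_t args[ARG_SIZE][MAX_ARGS].
    Same total size, different row stride, so args[i] lands elsewhere."""
    _fields_ = [("args", (ctypes.c_uint8 * MAX_ARGS) * ARG_SIZE)]


def expected_arg(index):
    """Constructed test pattern: argument i is the 64-bit value 0x1000 + i, little-endian."""
    return (0x1000 + index).to_bytes(ARG_SIZE, "little")


def build_c_buffer():
    """Constructed stand-in for what the C side writes into the args array."""
    buf = bytearray()
    for i in range(MAX_ARGS):
        buf += expected_arg(i)
    return bytes(buf)


def read_arg(struct_cls, buf, index):
    """Decode the buffer with the given struct declaration and return args[index] as bytes."""
    ctx = struct_cls.from_buffer_copy(buf)
    return bytes(ctx.args[index])


def struct_sizes():
    """Both declarations occupy the same number of bytes, so a size check cannot tell them apart."""
    return ctypes.sizeof(CorrectCtx), ctypes.sizeof(SwappedCtx)


def layout_is_correct(struct_cls):
    """Round-trip check: every slot of a known pattern must decode to what was written.
    This is the kind of test that catches a dimension mismatch that sizeof() misses."""
    buf = build_c_buffer()
    if ctypes.sizeof(struct_cls) != len(buf):
        return False
    ctx = struct_cls.from_buffer_copy(buf)
    if len(ctx.args) != MAX_ARGS:
        return False
    return all(bytes(ctx.args[i]) == expected_arg(i) for i in range(MAX_ARGS))


if __name__ == "__main__":
    buf = build_c_buffer()
    print("correct args[1]:", read_arg(CorrectCtx, buf, 1).hex())
    print("swapped args[1]:", read_arg(SwappedCtx, buf, 1).hex())
    print("sizes:", struct_sizes())
    print("layout ok:", layout_is_correct(CorrectCtx), layout_is_correct(SwappedCtx))
```

With the correct declaration `args[1]` decodes to the eight bytes of `0x1001`; with the transposed one it returns a 17-byte row that straddles arguments 2, 3 and 4, exactly the "incorrect bytes" symptom the PR describes. Because both structs are 136 bytes, only the round-trip check distinguishes them, which is why a generated binding such as create_panda_datatypes.py benefits from a test that decodes a known pattern rather than just comparing sizes.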

be32826 commented 9 months ago

Fixed, thanks!